This first code snippet was taken from src/xfrm.c, the XFRM receiving routine of the Mobile IPv6 Daemon for Linux developed by the USAGI Project. As you can read, it first sets the thread’s cancel state to disabled. Then it checks the received NetLink header’s message type. If it is ‘XFRM_MSG_ACQUIRE’, it checks whether the configured entity equals ‘MIP6_ENTITY_MN’, as defined in src/conf.h:

Finally, it invokes parse_acquire() to parse that NetLink message. If instead the type is ‘XFRM_MSG_REPORT’, the message is passed straight to parse_report(). Neither parse_acquire() nor parse_report() checks where the NetLink message came from. Because of this, a user-space process could send such messages, which are normally only ever received from the kernel.
Sebastian Krahmer suggests the following patch to fix this vulnerability:

The patch checks ‘who->nl_pid’ for a non-zero value, i.e. a sender other than the kernel (only the kernel sends from NetLink port id 0). If it finds one, it jumps to the ‘out’ label, which restores the thread’s cancel state and returns.
The second routine susceptible to this vulnerability is in src/movement.c:

This function processes the received NetLink message. The concept is much the same: it checks the NetLink message’s type and chooses the processing routine for that type. As you can see, there is no check on the sender’s NetLink port id (nl_pid) in this code either. S. Krahmer’s suggested fix is the following:

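The sender check that both of Krahmer’s hunks add, as an added C example that is neither UMIP’s code nor the patch itself: the dispatcher refuses a NetLink buffer unless the address recvmsg() filled into msg_name reports port id 0. The function names, the result codes and the simulate() scenario are assumptions made for this illustration; recv_and_dispatch() assumes an already-bound NETLINK_XFRM socket.

```c
#include <errno.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/xfrm.h>

/* Outcomes of one receive, returned so the caller (or a test) can see them. */
enum { DISPATCH_REJECTED = -1, DISPATCH_IGNORED = 0, DISPATCH_ACQUIRE = 1, DISPATCH_REPORT = 2 };
/* Only the kernel has NetLink port id 0. 'who' is the msg_name address the kernel fills in on
 * recvmsg(), so it is trustworthy; nlmsg_pid inside the header is written by the sender. */
int sender_is_kernel(const struct sockaddr_nl *who, socklen_t wholen)
{
    return wholen >= sizeof(*who) && who->nl_family == AF_NETLINK && who->nl_pid == 0;
}

/* Walk the XFRM messages in buf, but only when the kernel sent them. */
int dispatch_xfrm(const struct sockaddr_nl *who, socklen_t wholen, void *buf, int len)
{
    struct nlmsghdr *nh;
    int result = DISPATCH_IGNORED;
    if (!sender_is_kernel(who, wholen))
        return DISPATCH_REJECTED;       /* what the patch's jump to 'out' achieves */
    for (nh = buf; NLMSG_OK(nh, len); nh = NLMSG_NEXT(nh, len)) {
        switch (nh->nlmsg_type) {
        case XFRM_MSG_ACQUIRE: result = DISPATCH_ACQUIRE; break; /* parse_acquire() would run here */
        case XFRM_MSG_REPORT:  result = DISPATCH_REPORT;  break; /* parse_report() would run here */
        default: break;
        }
    }
    return result;
}

/* Receive one datagram from a live NETLINK_XFRM socket (assumed already bound) and dispatch it. */
int recv_and_dispatch(int sock)
{
    unsigned char buf[8192];
    struct sockaddr_nl who;
    struct iovec iov = { .iov_base = buf, .iov_len = sizeof(buf) };
    struct msghdr msg = { .msg_name = &who, .msg_namelen = sizeof(who), .msg_iov = &iov, .msg_iovlen = 1 };
    ssize_t n = recvmsg(sock, &msg, 0);
    return n < 0 ? -errno : dispatch_xfrm(&who, msg.msg_namelen, buf, (int)n);
}

/* Constructed offline scenario: a header-only message of 'type' from a peer with port id 'pid'. */
int simulate(unsigned int pid, unsigned short type)
{
    struct sockaddr_nl who = { .nl_family = AF_NETLINK, .nl_pid = pid };
    struct nlmsghdr hdr = { .nlmsg_len = NLMSG_LENGTH(0), .nlmsg_type = type };
    return dispatch_xfrm(&who, sizeof(who), &hdr, (int)sizeof(hdr));
}
```

The same message type is accepted from port id 0 and rejected from any other port id, which is exactly the distinction the unpatched parse_acquire()/parse_report() path never made.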
3 Responses

you missed the most important part :) if you look closer, the patch fixes a remote buffer overflow while handling icmp6 messages. the netlink fix is just to make it complete, but it's not a dangerous issue.